From 663d8fb0f84c0f3aade8974fbf3a2ddb255f54a5 Mon Sep 17 00:00:00 2001 From: William Breathitt Gray Date: Wed, 5 Jan 2022 18:30:52 +0900 Subject: counter: 104-quad-8: Fix use-after-free by quad8_irq_handler MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On unbind an irq might be pending which results in quad8_irq_handler() calling counter_push_event() for a counter that is already unregistered. This patch fixes that situation by passing the struct counter_device dev to devm_request_irq() rather than the parent's so that the irq handler is cleaned before the counter is unregistered. Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8") Cc: Syed Nayyar Waris Reported-by: Uwe Kleine-König Signed-off-by: William Breathitt Gray Link: https://lore.kernel.org/r/20220105093052.258791-1-vilhelm.gray@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/counter/104-quad-8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/counter') diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c index 1fbb3923797c..a17e51d65aca 100644 --- a/drivers/counter/104-quad-8.c +++ b/drivers/counter/104-quad-8.c @@ -1188,8 +1188,8 @@ static int quad8_probe(struct device *dev, unsigned int id) /* Enable all counters and enable interrupt function */ outb(QUAD8_CHAN_OP_ENABLE_INTERRUPT_FUNC, base[id] + QUAD8_REG_CHAN_OP); - err = devm_request_irq(dev, irq[id], quad8_irq_handler, IRQF_SHARED, - counter->name, counter); + err = devm_request_irq(&counter->dev, irq[id], quad8_irq_handler, + IRQF_SHARED, counter->name, counter); if (err) return err; -- cgit v1.2.3-70-g09d2